
Service Catalog Offboarding

dheeraaj
Giga Expert

Hi All,

Need a few suggestions on how to improve the offboarding process.

Currently, when I submit an offboarding request, 31 RITMs are getting generated. These RITMs are all different applications. I want to know the best way to develop a mechanism which knows "to what applications a user has access to and only generate those application RITMs".

Today, when we are offboarding a single user, it is generating 31 RITMs, and each RITM is going to a different fulfillment group depending on the application. Though the user doesn't have access to the applications, those RITMs are getting generated. The groups to which these tasks are assigned are over headed with this manual work.

I am also attaching screenshots for a clear picture.

Need some mechanism, which can improve the process.

Help is appreciated.

Thank you.

Regards,

Dheeraaj

1 ACCEPTED SOLUTION

Sorry for the late reply - I was away for the holidays.



Yes - that is how we do it. We have a custom table in ServiceNow that holds the name of the user, the application they have access to, and the level of access within the application. If the application has multiple levels of access for a single user, there are multiple rows for a user. This allows us to tie together, with the user reference field, what access each user has.



This would allow a manager to see what access an employee has at any given time, as well as allow you to secure it as you would other records (e.g.: using a manager field on the user record). Your offboarding/termination form would then only allow someone to select access to remove that they already have - for example, removing their PeopleSoft account would only be available if the user had a PeopleSoft account.




Yes, you could treat your user accounts as Configuration Items if you wanted to. We do not want this so we just use a custom table. But there is nothing stopping you from holding this information within your CMDB. It would be much more complex though because you would need to have many more relationships.




Hopefully that helps! Any questions let me know!



6 REPLIES

TrevorK
Kilo Sage

I think what you are looking for is primarily outside of ServiceNow because in order to tell what RITMs to generate, you need a table that has all of their accounts within your Enterprise. There are several ways to do this of course.



Ourselves, we maintain a database (outside of ServiceNow) that has all of our Enterprise Access in it. Every night we replicate this in ServiceNow (through the MID server), which allows us to then query it in ServiceNow and use it for our account terminations as well as account inquiries (e.g.: what access does Joe have?).



Another way to do this is if you are able to enforce account creation and termination within ServiceNow. As in, accounts are only created, modified, or deleted with a ticket (that can then be used to populate a table). While great in principle, not sure how well this would work in practice. To me, there is a lot of room for failure. We care about whether someone has an account, and for that it's my opinion we go to a best source of information - the application itself.



In either scenario, your order guide will only show the items that the user has access to because you have that information in SN (using the above examples, not out of the box).




Again, I think what you are looking for is primarily outside of ServiceNow - you need a way to determine if a user has an account in a system, and I think the realistic way to do this is having a table with this information. While you could most certainly integrate with each of your systems to query them for an account, my personal experience is that would be very difficult to do (politically, and possibly technically with older applications).



Hopefully that helped a bit!
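The access-table approach described in the accepted solution and in the reply above, as an added sketch that is not code from any poster in this thread. It is plain JavaScript with arrays standing in for the ServiceNow table; the field names, the `lastSynced` column, the catalog mapping and all sample rows are assumptions constructed for illustration.

```javascript
// Constructed rows of a hypothetical access-inventory table:
// one row per user, application and access level.
const accessRows = [
  { user: "jdoe", application: "PeopleSoft", level: "HR Viewer", lastSynced: "2024-03-10" },
  { user: "jdoe", application: "PeopleSoft", level: "Payroll Admin", lastSynced: "2024-03-10" },
  { user: "jdoe", application: "VPN", level: "Standard", lastSynced: "2024-03-10" },
  { user: "jdoe", application: "LegacyCRM", level: "User", lastSynced: "2024-02-01" },
  { user: "asmith", application: "VPN", level: "Standard", lastSynced: "2024-03-10" },
];

// Constructed mapping from application to removal item and fulfillment group.
const catalog = new Map([
  ["PeopleSoft", { item: "Remove PeopleSoft access", group: "HRIS Support" }],
  ["VPN", { item: "Remove VPN access", group: "Network Security" }],
  ["Email", { item: "Disable mailbox", group: "Messaging" }],
]);

// Build the offboarding plan for one user from the inventory alone.
function planOffboarding(user, rows, catalogMap, today, maxAgeDays = 2) {
  const byApp = new Map();
  for (const row of rows) {
    if (row.user !== user) continue;
    if (!byApp.has(row.application)) {
      byApp.set(row.application, { levels: [], lastSynced: row.lastSynced });
    }
    const entry = byApp.get(row.application);
    entry.levels.push(row.level); // several levels collapse into one RITM
    if (row.lastSynced < entry.lastSynced) entry.lastSynced = row.lastSynced;
  }
  const plan = { ritms: [], unmapped: [], stale: [] };
  for (const [application, entry] of byApp) {
    // Rows the nightly replication has not refreshed need manual verification.
    const ageDays = (Date.parse(today) - Date.parse(entry.lastSynced)) / 86400000;
    if (ageDays > maxAgeDays) plan.stale.push(application);
    const target = catalogMap.get(application);
    if (!target) {
      // Access exists but no removal item does: never drop it silently.
      plan.unmapped.push(application);
      continue;
    }
    plan.ritms.push({ item: target.item, group: target.group, levels: entry.levels });
  }
  return plan;
}

console.log(JSON.stringify(planOffboarding("jdoe", accessRows, catalog, "2024-03-11"), null, 2));
```

Entries returned in `unmapped` and `stale` are the ones to route to a person, since they are access the automated RITMs would otherwise miss or act on from out-of-date data.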


You can create the request with 2 fields.


1. would have all of the basic applications/business services


        AD, Email, Security Badge, Parking Gate Pass, etc.



2. would have a list of all the applications, business services



The Basic access would automatically create those tasks to the appropriate teams.



The manager who is submitting the request, and should know the access that the person has, can select which applications/business services to terminate.



On the back end, the tasks would only generate for those items that were selected.


Thanks Blaze,



Can we leverage the CMDB table to implement the functionality?



Thank you.


Absolutely,



If you track application membership, as well as device ownership, that information can be drafted to the request.

So you can have:

Employee Name

Application Access, which references assigned to user in a list form since there may be multiple

Device Ownership, which references device ownership in list form since there may be multiple

Then your RITM and subsequent Tasks can have the specific variables that should be carried over.

I.e., Security cuts off VPN; they don't need the hardware information.